The General Data Protection Regulation (DSGVO, in English GDPR) regulates the processing of personal data; this phrase can often be read in the media. Inevitably, one thinks of large technology companies such as Facebook, Google or Amazon. Going a step further, the large retail chains with their loyalty cards come to mind. It is surprising, however, that this regulation affects even the smallest businesses, and that trades such as electricians, plumbers, hairdressers, car repair shops, restaurants or construction companies also process personal data. There are probably only a handful of companies that are not covered by the new data protection law. Moreover, not only companies are subject to the new data protection rules, but also other organizations such as associations, public authorities or interest groups. Put simply, everyone except private individuals must comply with the General Data Protection Regulation.
Do we process personal data?
Personal data is a broad term and includes not only customer data but all data that can be associated with a natural person. The following data are therefore also personal data within the meaning of the GDPR:
- Customer numbers: with these you uniquely identify your customers.
- Telephone numbers: nowadays almost every person has a personal cell phone, and the days of shared connections (quarter phone, shared landline) are largely over, so a phone number is also personal data. Saving contacts in your phone is likewise processing within the meaning of the General Data Protection Regulation.
- Account numbers: a bank account is assigned to a specific person, who can therefore be identified by this information.
- Social security (SV) numbers: without a social security number no employee can be registered with the authorities today, and an SV number uniquely identifies each citizen, so it is personal data within the meaning of the GDPR.
- E-mail addresses: do you have an e-mail account and receive messages from customers with it? Then you process personal data and are covered by the General Data Protection Regulation.
- Appointment calendars: do customers make appointments with you, or are you an innkeeper who offers table reservations? So that you do not forget them, you write them in a calendar, including name and phone number. It makes no difference whether you keep the calendar by hand or on the computer; either way you have processed personal data.
These are just a few examples of how even the smallest companies process personal data. Associations are likewise covered by the General Data Protection Regulation if such data are present.
What do I have to do?
As soon as personal data is processed in a company or an association, the GDPR applies. The bar is high: regardless of the amount and regularity of processing, certain requirements must be fully met. A risk analysis and a record of processing activities (processing directory) must be prepared for each case. Data protection measures, both organizational and technical, must also be implemented in accordance with the state of the art and subsequently documented.
You will receive more detailed information in our workshop, among other sources.
What are the solutions?
GDPR-compliant implementation can be roughly divided into three areas that every company should consider: organizational measures, technical measures and documentation.
Organizational measures include all improvements to data protection and data security in the company. This covers not only training in the area of data protection, but also process optimization to ensure that personal data cannot be viewed by unauthorized persons. Some key points are:
- Document destruction with document shredders
- Document storage in lockable cabinets or rooms
- Reduction of data acquisition
- Installation of alarm systems and access controls at sites with personal data
In addition, there are a number of other points that need to be considered. With easyGDPR Consulting we support you in identifying necessary measures and implementing them in compliance with the GDPR.
The technical measures include all steps in the area of IT security and cybersecurity. Unauthorized access to personal data must be prevented by appropriate access protection. In addition to data security, the issues of data availability, data integrity and data confidentiality must also be considered.
As a certified Sophos partner company, we can provide you with solutions to all of these issues. Only Sophos provides you with all the necessary products as an intelligent complete package including Synchronized Security. Your security solutions communicate with each other in the process, ensuring optimal protection. In addition, you benefit from our years of experience as an IT company.
All measures taken must be documented in writing. It must also be written down why other steps were not taken. The basis of this mandatory documentation is the risk analysis, which every company must carry out. This process, too, must be recorded on paper.
The risk analysis and the associated documentation are not the only points that need to be written down. Companies must record which personal data is collected by which business processes, the legal basis for storing it, and how long it is stored. In the digital age, almost every field of activity collects such information, whether through emails, accounting, payroll, customer acquisition, etc.
Each process must be documented in detail. You can do this work quickly and in a legally compliant way with easyGDPR. With appropriate templates, most business processes are recorded and documented at the click of a mouse.
easyGDPR is your reliable and competent partner for all questions regarding the DSGVO. Whether consulting, IT security or documentation – with easyGDPR you can solve the challenge of “DSGVO” quickly, efficiently and cost-effectively.